Overview
- The release covers roughly 112 to 114 vulnerabilities across Windows, Office, SQL Server, SMB and Azure services, including eight rated critical.
- CVE-2026-20805 in Desktop Window Manager is being actively exploited and can leak ALPC information, affecting Windows 10, Windows 11 and Windows Server 2012, 2019, 2022 and 2025.
- Microsoft fixed 16 Office flaws, including 13 remote code execution bugs, some of which are exploitable via the preview pane without opening a file.
- Two long-standing elevation-of-privilege issues in legacy Agere and Motorola softmodem drivers (CVE-2023-31096, CVE-2024-55414) are resolved by removing the drivers from Windows.
- Administrators should apply updates promptly and renew Secure Boot certificates tied to CVE-2026-21265 to avoid losing the ability to receive future security patches.